09 Apr

A newly disclosed vulnerability in Kibana, the popular open-source data visualization front-end for Elasticsearch, has been rated CVSS 8.7 due to its potential to allow remote code injection under specific circumstances. Tracked as CVE-2024-12556, the flaw stems from a prototype pollution issue that, when paired with path traversal and unrestricted file upload, creates a dangerous opportunity for attackers to gain code execution within vulnerable Kibana environments.
Prototype pollution is a vulnerability class specific to JavaScript, including Node.js applications. It allows an attacker to manipulate an object’s prototype and introduce or overwrite properties that should not exist. Because every object that inherits from that prototype sees the injected properties, downstream functions can behave unpredictably and, in the worst cases, open pathways to arbitrary code execution.
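As an added illustration that is not part of the advisory or of Kibana's own code, the following JavaScript shows the mechanism in generic form: a naive recursive merge of attacker-controlled JSON writes through the "__proto__" key into Object.prototype, so an unrelated object created afterwards inherits the injected property, while a hardened merge that refuses prototype-reaching keys and only descends into own properties does not. The sample JSON and all identifiers (UNTRUSTED_JSON, unsafeMerge, safeMerge, demonstrate) are constructed for this example.

```javascript
// Added example, not Kibana code: a generic deep merge that is vulnerable to
// prototype pollution, beside a hardened version. The identifiers and the
// sample input below are constructed for illustration.

// Constructed JSON body of the kind an application might parse and merge into
// a settings object. The "__proto__" key is the pollution vector.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Vulnerable: for...in treats "__proto__" like any other key. On a plain
// object, dst["__proto__"] resolves (via the accessor on Object.prototype)
// to Object.prototype itself, so the recursion writes into the shared
// prototype and every object in the process inherits the new property.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: only own keys of src are considered, keys that reach the
// prototype chain are refused, and recursion only descends into a property
// that dst itself owns (never into an inherited one such as Object.prototype).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;  // refuse prototype-reaching keys
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (!hasOwn(dst, key) || dst[key] === null || typeof dst[key] !== 'object') {
        dst[key] = {};
      }
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Runs one merge strategy against the constructed input and reports whether
// a fresh, unrelated object now appears to carry the injected property.
// The pollution is removed afterwards so the process state is restored.
function demonstrate(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(UNTRUSTED_JSON));
  const probe = {};                        // created after the merge, never touched
  const leaked = probe.isAdmin === true;   // true only if Object.prototype was polluted
  delete Object.prototype.isAdmin;         // undo for subsequent code
  return { leaked, name: target.name };
}

console.log('unsafeMerge leaked into Object.prototype:', demonstrate(unsafeMerge).leaked); // true
console.log('safeMerge   leaked into Object.prototype:', demonstrate(safeMerge).leaked);   // false
```

The hardened merge is the code-level fix for the pollution step alone; the file-upload and path-traversal steps the advisory describes are separate controls. Two common defence-in-depth measures for the pollution step are freezing Object.prototype at process start-up (Object.freeze(Object.prototype)) and storing data parsed from untrusted input in null-prototype objects (Object.create(null)), so that there is no shared prototype for a merge to reach.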
In the case of Kibana, this vulnerability is made even more dangerous when it is chained with file upload and path traversal vectors, allowing attackers to:

* Upload a file with malicious content
* Traverse directories to write to unintended locations
* Pollute object prototypes in ways that affect server logic
* Ultimately execute injected code

“Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal,” the security advisory warns.
The issue affects Kibana versions from 8.16.1 through 8.17.1, and users are strongly urged to upgrade to version 8.16.4 or 8.17.2 to mitigate the risk.
For users who cannot immediately upgrade their Kibana installations, a temporary mitigation is available:
Disable Integration Assistant: Users who must remain on version 8.16.1 can disable the integration assistant by adding the line xpack.integration_assistant.enabled: false to their kibana.yml configuration file.
